Android camera and mic to steal PINs; Motorola electronic skin tattoo to detect lies?

Filing a patent application does not always lead to an actual product, but Motorola potentially has big, creepy plans to combine an electronic tattoo, that is coupled to a mobile device, with a lie-detector.  

Tattoos could double as an electronic lie detector paired to smartphone?

Regina Dugan, who leads Motorola's Advanced Technology and Project group, previously discussed the future of authentication such as wearable authentication in the form of digital tattoos, or passwords that could be managed via popping a daily authentication vitamin. Dugan, the former head of DARPA, discussed those possibilities at the All Things Digital D11 conference this past summer. Apparently Motorola would like to do more authentication with digital tattoos as pointed out last week when The Register found a patent application “for a ‘system and method’ to tattoo a mobile-device microphone with lie-detector circuitry onto your throat.”

Because we use our mobile devices in “noisy environments,” the main point for the electronic skin tattoo “applied to the throat region” would be to reduce “acoustic noise with an auxiliary voice input.” The description suggests the electronic tattoo would “include an embedded microphone; a transceiver for enabling wireless communication with the MCD (mobile communication device) and a power supply configured to receive energizing signals from a personal area network associated with the MCD.”

According to the “Coupling an electronic skin tattoo to a mobile communication device” patent, predetermined patterns could be programmed into the electronic tattoo for different “security” functions. Examples of predetermined patterns included those that are "based on a user's vocal intonation, on a specific word or words, on a melody, or on a harmonic tone/vibration." Those predetermined patterns could serve different functions such as to stop sending data, to send a preformatted message to a predetermined destination, or to send an emergency message to 911.

The “lie-detector” portion that jumped out to The Register states, “Optionally, the electronic skin tattoo can further include a galvanic skin response detector to detect skin resistance of a user. It is contemplated that a user that may be nervous or engaging in speaking falsehoods may exhibit different galvanic skin response than a more confident, truth telling individual.”

While such an electronic tattoo could be used for hands-free phone calls, it’s doubtful that people would want a lie detector implanted on their throat region. But just as a patent does not always equal a product, not all proof-of-concept attacks are carried out by criminals in the real world. That doesn’t stop security researchers from finding new ways to potentially steal information from smartphones.

PIN Skimmer side-channel attack

Last week, at the 3rd Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), University of Cambridge researcher Ross Anderson presented a new side-channel attack, "PIN Skimmer: Inferring PINs Through The Camera and Microphone" [pdf]. Anderson explained, “We found that software on your smartphone can work out what PIN you’re entering by watching your face through the camera and listening for the clicks as you type.” The PIN Skimmer paper states:

By recording audio during PIN input, we can detect touch events. By recording video from the front camera during PIN input, we can retrieve the frames that correspond to touch events. Then we extract orientation changes from the touch-event frames, and we show that it is possible to infer which part of the screen is touched by users.

Previous research such as Soundminer sensory malware, that listens to phone calls and steals credit card numbers either spoken or entered on the keypad, or TouchLogger that records taps like a smarphone keylogger, has “shown how to work out PINs using the gyro and accelerometer; we found that the camera works about as well. We watch how your face appears to move as you jiggle your phone by typing.”

Pin Skimmer 50 percent of PINs after 5 attempts on Galaxy S3 and Nexus S

Yeah, but will it really work? The researchers report that it's fairly accurate. "When selecting from a test set of 50 4-digit PINs, PIN Skimmer correctly infers more than 30% of PINs after 2 attempts, and more than 50% of PINs after 5 attempts on android-powered Nexus S and Galaxy S3 phones."

There have been efforts to design a secure electronic wallet so sensitive data like bank credentials can’t be stolen by malware, but this newest side-channel attack would blow those plans to smithereens. Anderson wrote, “Our work shows it’s not enough for your electronic wallet software to grab hold of the screen, the accelerometers and the gyro; you’d better lock down the video camera, and the still camera too while you’re at it. (Our attack can use the still camera in burst mode.)”

This newest information-stealing attack is not the first and will most assuredly not be the last to raise security and privacy awareness as well as concerns. But as Google’s Motorola Mobility patent highlights, potential wearable computing inventions to make smartphone use easier, better or more secure can also be creepy if you value privacy. The flip-side is that the NSA would probably love it if we’d voluntarily submit to wearing lie detector tattoos paired to our mobile devices . . . talk about leaking sensitive information!

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.